This document provides guidance on diagnosing and resolving common issues encountered when using Azure Virtual WAN. Virtual WAN is a networking service that brings together networking, security, and routing functionalities into a single operational interface.

Connectivity Issues

No Connectivity Between Hub and Spoke VNets

If you cannot reach resources in a spoke VNet from another spoke VNet or from on-premises through the hub, consider the following:

• Hub Route Table Propagation: Verify that routes from spoke VNet 1 are being advertised to the hub's route table and then propagated to spoke VNet 2. Check the effective routes in both the hub and spoke VNets.
• VNet Peering Configuration: Ensure that VNet peering between the hub and spokes is configured correctly, with "Get transitive members" and "Allow transitive members" enabled on the hub's peering.
• Network Security Groups (NSGs): Confirm that NSGs applied to subnets in the spoke VNets do not block traffic. Pay attention to inbound rules for traffic originating from the hub and outbound rules for traffic destined to the hub.
• Resource IP Configuration: Double-check the IP address ranges and subnet configurations in both the hub and spoke VNets to avoid overlaps or incorrect routing.

On-Premises Connectivity Issues

If your on-premises network cannot connect to resources within Azure VNets via Virtual WAN:

• VPN/ExpressRoute Connection Status: Check the status of your Site-to-Site VPN or ExpressRoute connections in the Azure portal. Ensure they are 'Connected' and that there are no BGP route advertisements or connectivity issues reported.
• On-Premises Firewall/Router: Verify that your on-premises firewall or router is configured to allow traffic to and from the Azure VPN Gateway or ExpressRoute circuit. Check for any access control lists (ACLs) or security policies that might be blocking traffic.
• BGP Peering: If using BGP, ensure that BGP sessions are established between your on-premises router and the Azure VPN Gateway. Check BGP neighbor status and route advertisements.
• IPsec/IKE Policies: For VPN connections, ensure that the IPsec/IKE Phase 1 and Phase 2 proposals (encryption, integrity, Diffie-Hellman group, lifetimes) are compatible between your on-premises device and the Azure VPN Gateway.

Performance Issues

High Latency or Low Throughput

To address performance bottlenecks:

• Gateway SKU: Ensure you are using an appropriate Virtual WAN VPN Gateway or ExpressRoute Gateway SKU that meets your throughput requirements. Scaling up the SKU can often resolve performance issues.
• Number of Connections: If you have a very large number of site-to-site connections, consider the capacity limitations of the VPN Gateway SKU.
• Network Path: Analyze the network path between your source and destination. Use tools like tracert (Windows) or traceroute (Linux) to identify potential latency points.
• Azure Service Health: Check Azure Service Health for any ongoing network incidents in the region where your Virtual WAN resources are deployed.
• ExpressRoute Circuit Bandwidth: If using ExpressRoute, ensure your purchased bandwidth is sufficient and that you are not experiencing congestion on the Microsoft peering or your provider's network.

Routing Issues

Incorrect Routing or Traffic Not Reaching Destination

Routing is a critical component of Virtual WAN. Here's how to troubleshoot:

• Effective Routes: This is your primary tool. Examine the effective routes in the hub's route table and in each spoke VNet. Ensure that routes are being learned and propagated as expected.
• Static Routes: If you have configured static routes in the hub or spokes, verify their correctness and ensure they don't conflict with BGP-learned routes.
• Hub Routing Preference: Understand how traffic is routed (e.g., via the hub or directly between spokes). The routing configuration in the hub dictates this.
• BGP Route Advertisements: For VPN and ExpressRoute, confirm that your on-premises devices are advertising the correct routes to Azure and that Azure is advertising the correct routes back. Use the 'Effective routes' view for the VPN/ExpressRoute connection.
• Connection-Specific Routes: Each connection (e.g., VNet connection, site-to-site VPN connection) has its own routing configuration. Ensure these are set up to use the hub's routing policies.

IP Address Overlap

Ensure there are no overlapping IP address spaces between VNets connected to the same Virtual WAN hub, or between on-premises networks and Azure VNets, unless explicitly managed by routing.

Troubleshooting Tools

Azure provides several tools to help diagnose Virtual WAN issues:

• Azure Network Watcher: Use features like Connection Troubleshoot, IP Flow Verify, Next Hop, and Packet Capture to gain insights into network traffic flow and connectivity.
• Azure Monitor: Monitor metrics for VPN Gateways, ExpressRoute Gateways, and Virtual Hubs to identify performance or availability issues.
• Diagnostic Settings: Configure diagnostic settings for your Virtual WAN resources to send logs to Log Analytics, Storage Accounts, or Event Hubs for deeper analysis.
• Network Shell (Netsh) and PowerShell: Use these command-line tools on your VMs to test network connectivity and troubleshoot local network configurations.

Common Scenarios and Solutions

Scenario	Potential Causes	Recommended Actions
No traffic between two spoke VNets	Incorrect hub routing, NSGs blocking traffic, VNet peering not transitive	Check hub effective routes, review NSGs, verify VNet peering settings
On-premises sites cannot connect to Azure	VPN/ER connection down, firewall blocking, incorrect BGP	Check connection status, firewall rules, BGP neighbor status
Slow performance for remote users	Insufficient VPN Gateway SKU, network congestion	Upgrade VPN Gateway SKU, check latency to gateway
New VNet not reachable	Missing VNet connection to hub, incorrect route propagation	Create VNet connection, verify hub routes

If you continue to experience issues, consider opening a support request with Microsoft Azure, providing as much detail as possible about your configuration and the problem you are facing.